After getting some reports on twitter about Tor being blocked in Turkey and some chat on IRC, <bypassemall> aka <trdpi> aka <kzdpi> ran some tests and found some interesting information about how Turkey is blocking vanilla Tor connections. I paste their findings here:

16:48 < trdpi> 10 connections died in state handshaking (TLS) with SSL state SSLv2/v3 read server hello A in HANDSHAKE
16:48 < trdpi> after less than 10 seconds
...
16:55 < trdpi> this isp injects rst it seems
16:56 < trdpi> to both side, as i got 2 rst one legit and 2 not
16:57 < mrphs> oh apparently today is an special day in turkey
...
17:00 < trdpi> telneting to or port, no rsts. it triggered by something more than ip:port connection
17:01 < trdpi> yay, window trick for split req works for tr
17:02 < trdpi> magic tool allows to bypass vanilla tor censorship
17:04 < trdpi> so it's about ciphersuits or something
17:07 < trdpi> it's like kz, but obfs4 works
17:07 < trdpi> and kz do not rsts
17:07 < trdpi> it controlls connection
17:07 < trdpi> and tr like do not controlls and to inject fraud only

Tor metrics graphs show a large increase in users (both relay and bridge) in recent days, starting on 2016-12-12. I first heard of it from ​Joss Wright's twitter reporting a find of their ​anomaly detector.

The brief spike in relay users and sustained jump in bridge users on November 4 was the same date as ​government orders to block Tor and VPNs. The more recent increase on December 12, I don't know what might have caused.

If what trdpi says is correct, that the firewall is breaking connections that are already partly underway, that could account for the seemingly increased number of users. Users are counted indirectly by ​counting directory requests. Connections might be getting broken after a directory request is sent but before the connection becomes useful. This is just a guess. The OONI reports say that bootstrapping failed at 10%, which is where you make a directory request, but you can also get to 10% even with no connectivity, I believe.

Maybe it's only pluggable transport connections. comment:8 shows pluggable transports getting to around 50% bootstrapped. Especially if tor is retrying failed connections, that may account for an increase in the number of directory requests.

Extra data point. Since December 13th, our directory authorities have seen a significant increase in consensus direct download timeout. Below is a graph that shows you the stat over time for the "div-v3-direct-dl-timeout" statistics reported by dirauth I'm collecting:

Extra data point. Since December 13th, our directory authorities have seen a significant increase in consensus direct download timeout. Below is a graph that shows you the stat over time for the "div-v3-direct-dl-timeout" statistics reported by dirauth I'm collecting:

dgoulet, good find! This indeed makes me think that the metrics graphs are overcounting users in this case where consensus downloads are being interrupted. That's why the direct-user graphs show more users when in reality there are probably fewer.

#18203 is a proposal to base direct-user counts on directory responses, rather than directory requests. Doing that might solve this overcounting issue. (Apparently bridge counts are already based on responses.) In normal operation, it doesn't matter, because the number of requests should be very close to the number of responses—karsten showed this in a graph of responses vs. requests, which is almost a perfect y=x line. Presumably, if we made the same graph again today, there would be a lot of points beneath the line (more requests than responses, because some responses fail).

Turkey Blocks finds that the Tor direct access mode is now restricted for most internet users throughout the country; Tor usage via bridges including obfs3 and obfs4 remains viable, although we see indications that obfs3 is being downgraded by some service providers with scope for similar on restrictions obfs4. The restrictions are being implemented in tandem with apparent degradation of commercial VPN service traffic.

Direct Tor access restrictions started around 12 December 2016. Tor’s direct mode is now entirely unusable via providers TTNet and UyduNet on the residential broadband connections we tested. Deep Packet Inspection (DPI) is likely used to disrupt the connection phase, which stalls around the 10% mark.

Connection is possible using obfs3 and obfs4 Tor bridges with both providers. While obfs4 is effective across all configurations, obfs3 intermittently fails with TTNet.

Where we expected a fall in usage corresponding to widespread reports of failure to access the Tor network, charts instead show a huge increase in Tor usage over the same period.

During tests we saw over a hundred connection attempts associated with a single user connection request, leading us to favour the theory Tor metrics have incorrectly counted these failed attempts in their overall usage tally.

Though number of bridge users seems to be 1/3 of typical direct connections to Tor.

I'm guessing this could be due to 2 factors: 1) People not knowing about bridges or how to configure them. Tor stops working they assume it's blocked and there's no way around and 2) Pluggable Transport being too slow for them to function.

19 months later, there's a very similar pattern in relay users from Turkey, jumping from 5k to 30k in about a day, on 2018-06-09. Is it another blocking event that's resulting in an illusory increase in the number of users? A Reddit user ​reports on 2018-06-29 that Tor is blocked.

19 months later, there's a very similar pattern in relay users from Turkey, jumping from 5k to 30k in about a day, on 2018-06-09. Is it another blocking event that's resulting in an illusory increase in the number of users?

Here are some OONI graphs (update of comment:4). Unfortunately there are no reports from the past two months, when the apparent big increase in users began.